Tcpdump is a commandline tool that is used to dump traffic on a network. This tool comes in hand when you want to analyse network captures within the command line. Basically it can do most of the wireshark job.
NOTE This guide might not be complete it just serve as a reference to me.
To be fair: This gist is itself a fork I created some time ago, but the original gist or author seems to not exist anymore, and it looks like that I'm now in the lead ;-) Please see the revision history for details.
Furthermore some more and basic advanced examples may be of interest (thanks to twitter://@howtouselinux1):
The following are some of options that I prefer when using tcpdump
for my
daily use.
tcpdump [OPTIONS]
-i any : Listen to all the interfaces
-i virbr0: Listen to a specific interface virbr0
-D: Show the list of available interface
-n: Don't resolve the hostnames
-nn: Don't resolve hostnames or port names.
-q: quite output
-t: Don't print a timestamp on each dump line.
-tttt: Give maximally human-readbale timestamp output
-X: Show the packet's contents in both HEX ad ASCII
-XX: Same as -X but shows the ethernet header.
-v, -vv, -vvv: Being more verbose(increase number of packet information)
-c: Only capture number of packets and stop
-s: Define the snaplength(size) of the capture in bytes. Use -s0 to get
everything.
-S: Print absolute sequence numbers.
-e: Get the ethernet header as well
-E: Decrypt IPSEC traffic by providing an encryption key.
tcpdump
allow us to use expression so we can narrow down our solution to get
exactly what we're looking for.
There are 3 types of expression: type
, dir
and proto
- Type options are:
host
,net
, andport
- Direction are:
src
anddst
- Protocol :
tcp
,udp
,icmp
,ah
etc
-
Basic communication to see what happens on the network
$ tcpdump -i any
-
Monitor specific interface
$ tcpdump -i virbr0
-
Raw output view with verbose output,no host/port resolution,absolute sequence number and human-readable timestamps.
$ tcpdump -ttttnnvvS
-
Find traffic by IP
$ tcpdump host 192.168.122.131
-
Seeing packets with HEX output
$ tcpdump -nnvXSs 0 -c1 icmp
-
Filtering by Source and Destination
$ tcpdump src 192.168.122.131 $ tcpdump dst 192.168.122.14
-
Finding packets by network
$ tcpdump net 192.168.122.0/24
-
Show traffic related to a specific port
$ tcpdump port 3389
-
Show traffic of one protocol
$ tcpdump icmp
-
Show only IPv6 Traffic
$ tcpdump ip6
-
Find traffic using Port ranges
$ tcpdump portrange 21-25
-
Find traffic base on packet size
$ tcpdump less 32 $ tcpdump greater 32 $ tcpdump <= 102
-
Writing captures to a file
$ tcpdump port 80 -w output
-
Reading from pcap files
$ tcpdump -r output.pcap
-
Options Combination
- AND :
and
or&&
- OR :
or
or||
- EXCEPT :
not
or!
$ tcpdump -nnvvS src 192.168.122.1 and dst port 4444
- AND :
-
Complex grouping and special characters For complex grouping we use
()
to specify our options$ tcpdump 'src 192.168.122.84 and (dst port 4444 or 22)'
-
Isolating Specific TCP Flags. The filter
tcp[13]
look at offset 13 inTCP HEADER
,hence the number represent the location within the byte, while the!=0
means that the flag is set to 1.
Show all URGENT (URG) packets\$ tcpdump 'tcp[13] & 32!=0'
Show all ACKNOWLEDGE( ACK) packets\
$ tcpdump 'tcp[13] & 16!=0'
Show all PUSH (PSH) packets\
$ tcpdump 'tcp[13] & 8!=0'
Show all RESET (RST packets\
$ tcpdump 'tcp[13] & 4!=0'
Show all SYNCHRONIZE (SYN) packets\
$ tcpdump 'tcp[13] & 2!=0'
Show all FINISH (FIN) packets\
$ tcpdump 'tcp[13] & 1!=0'
Show all SYNCRONIZE/ACKNOWLEDGE (SYNACK) packets\
$ tcpdump 'tcp[13]=18'
Alternative we could also use
tcpflags
syntax$ tcpdump 'tcp[tcpflags] == tcp-syn' $ tcpdump 'tcp[tcpflags] == tcp-rst' $ tcpdump 'tcp[tcpflags] == tcp-fin'
-
Identifying malformed/malicious packets.
-
Packets with both rst and syn flags shouldn't be the case.
$ tcpdump 'tcp=[13] = 6'
-
Find cleartext http get requests
$ tcpdump 'tcp[32:4] = 0x47455420'
-
Find ssh connection on any port via (banner text)
$ # tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'
-